Defense, Mitigation, Protection
- Guidelines for Mitigating Timing Side Channels Against Cryptographic Implementations
- Hardware and Architectural Support for Security and Privacy (HASP)
- Hardware and Firmware Security Guidance
- Hardware Security @ UNC - https://cs.unc.edu/~csturton/HWSecurityatUNC/
- IEEE International Symposium on Hardware Oriented Security and Trust (HOST)
- IACR Transactions on Cryptographic Hardware and Embedded Systems (TCHES)
- International Workshop on Constructive Side-Channel Analysis and Secure Design (COSADE)
- Security Best Practices for Side Channel Resistance
- Side and Covert Channels: Attacks and Defenses
- Timing Channels - Trustworthy Systems - Data61
Defense - Branch Predictor
- BRB: Mitigating Branch Predictor Side-Channels
Defense - Cache
- A Benchmark Suite for Evaluating Caches' Vulnerability to Timing Attacks
- An Exploration of Effective Fuzzing for Side-channel Cache Leakage
- Analysis of Secure Caches Using a Three-Step Model for Timing-Based Attacks
- Architecting against Software Cache-Based Side-Channel Attacks
- Automated Detection of Instruction Cache Leaks in Modular Exponentiation Software
- Automated Software Protection for the Masses Against Side-Channel Attacks
- CacheAudit: A Tool for the Static Analysis of Cache Side Channels
- CacheD: Identifying Cache-Based Timing Channels in Production Software
- CacheShield: Protecting Legacy Processes Against Cache Attacks
- CaSym: Cache Aware Symbolic Execution for Side Channel Detection and Mitigation
- CEASER: Mitigating Conflict-Based Cache Attacks via Encrypted-Address and Remapping
- Cyclone: Detecting Contention-Based Cache Information Leaks Through Cyclic Interference
- DAWG: A Defense Against Cache Timing Attacks in Speculative Execution Processors
- Did we learn from LLC Side Channel Attacks? A Cache Leakage Detection Tool for Crypto Libraries
- Fooling the Sense of Cross-core Last-level Cache Eviction based Attacker by Prefetching Common Sense
- How secure is your cache against side-channel attacks?
- HybCache: Hybrid Side-Channel-Resilient Caches for Trusted Execution Environments
- Meet the Sherlock Holmes’ of Side Channel Leakage: A Survey of Cache SCA Detection Techniques
- On the Incomparability of Cache Algorithms in Terms of Timing Leakage
- ScatterCache: Thwarting Cache Attacks via Cache Set Randomization
- SecDir: Secure Directories to Defeat Directory Side Channel Attacks
- Secure Hierarchy-Aware Cache Replacement Policy (SHARP): Defending Against Cache-Based Side Channel Attacks
- SmokeBomb: Effective Mitigation Against Cache Side-channel Attacks on the ARM Architecture
- Strong and Efficient Cache Side-Channel Protection using Hardware Transactional Memory
Defense - Floating Point Unit (FPU)
- On the effectiveness of mitigations against floating-point timing channels
- Towards Verified, Constant-time Floating Point Operations
Defense - Hardware Design & Verification
- A Hardware Design Language for Timing-Sensitive Information-Flow Security
- Broad-Based Side-Channel Defenses for Modern Microprocessors
- Capability Hardware Enhanced RISC Instructions (CHERI): Notes on the Meltdown and Spectre Attacks
- CheckMate: Automated Exploit Program Generation for Hardware Security Verification
- Data Oblivious ISA Extensions for Side Channel-Resistant and High Performance Computing
  - Network and Distributed System Security Symposium (NDSS) 2019
  - Jiyong Yu, Lucas Hsiung, Mohamad El Hajj, Christopher W. Fletcher
  - https://eprint.iacr.org/2018/808
- End-to-End Automated Exploit Generation for Validating the Security of Processor Designs
- Fast and Efficient Deployment of Security Defenses via Context Sensitive Decoding
- HyperFlow: A Processor Architecture for Nonmalleable, Timing-Safe Information Flow Security
- IODINE: Verifying Constant-Time Execution of Hardware
- Isolating Speculative Data to Prevent Transient Execution Attacks
- ParTI - Towards Combined Hardware Countermeasures against Side Channel and Fault Injection Attacks
- Principles of Secure Processor Architecture Design
- Provably Secure Isolation for Interruptible Enclaved Execution on Small Microprocessors
  - IEEE Computer Security Foundations Symposium (CSF) 2020
  - Matteo Busi, Job Noorman, Jo Van Bulck, Letterio Galletta, Pierpaolo Degano, Jan Tobias Mühlberg, Frank Piessens
  - https://arxiv.org/abs/2001.10881
- Securing Processors from Time Side Channels
- Side Channel Analysis Protection and Low Latency in Action - Case Study of PRINCE and Midori
- SMT-COP: Defeating Side-Channel Attacks on Execution Units in SMT Processors
- Using Information Flow to Design an ISA That Controls Timing Channels
Defense - Software
- C++ Developer Guidance for Speculative Execution Side Channels
- Certified Side Channels
  - USENIX Security Symposium 2020; 2019 arXiv
  - Cesar Pereida García, Sohaib ul Hassan, Nicola Tuveri, Iaroslav Gridin, Alejandro Cabrera Aldaya, Billy Bob Brumley
  - https://arxiv.org/abs/1909.01785
- ctgrind
- CTTK (Constant-Time Toolkit)
- Cycle-Accurate Timing Channel Analysis of Binary Code
- dudect: dude, is my code constant time? - https://github.com/oreparaz/dudect
- KASLR is Dead: Long Live KASLR
- MicroWalk: A Framework for Finding Side Channels in Binaries
- Mitigating Speculative Attacks in Crypto
- Mitigating speculative execution side channel hardware vulnerabilities
- Principled Elimination of Microarchitectural Timing Channels through Operating-System Enforced Time Protection
- Provably Secure Countermeasures against Side-channel Attacks
- Rigorous Analysis of Software Countermeasures against Cache Attacks
- SafeSide: A project to understand and mitigate software-observable side-channels
- SideTrail: Verifying Time-Balancing of Cryptosystems
- Site Isolation: Process Separation for Web Sites within the Browser
- Time Protection: the Missing OS Abstraction
- Towards Practical Tools for Side Channel Aware Software Engineering: "Grey Box" Modelling for Instruction Leakages
- Verifying Constant-Time Implementations
- Verifying Constant-Time Implementations by Abstract Interpretation
- Why Constant-Time Crypto? - https://www.bearssl.org/constanttime.html
- You Shall Not Bypass: Employing data dependencies to prevent Bounds Check Bypass
Defense - Software - Compilation and Programming Languages
- Compiler mitigations for time attacks on modern x86 processors
- Compiler Strategies for Mitigating Timing Side Channel Attacks
- FaCT: A Flexible, Constant-Time Programming Language
- Mitigating Data Leakage by Protecting Memory-resident Sensitive Data
- P0928: Mitigating Spectre v1 Attacks in C++
- Provably secure compilation of side-channel countermeasures
- Secure Automatic Bounds Checking: Prevention Is Simpler Than Cure
- Speculative Load Hardening (a Spectre variant #1 mitigation)
Defense - Speculation
- A Formal Approach to Secure Speculation
- Abstract Interpretation under Speculative Execution
- An Inside Story of Mitigating Speculative Execution Side Channel Vulnerabilities
- Beyond Spectre: Confronting New Technical and Policy Challenges: Proceedings of a Workshop
- CleanupSpec: An Undo Approach to Safe Speculation
- Conditional Speculation: An Effective Approach to Safeguard Out-of-Order Execution Against Spectre Attacks
  - High-Performance Computer Architecture (HPCA) 2019
  - Peinan Li, Lutan Zhao, Rui Hou, Lixin Zhang, Dan Meng
- Context-Sensitive Fencing: Securing Speculative Execution via Microcode Customization
- ConTExT: A Generic Approach for Mitigating Spectre
  - Network and Distributed Systems Security (NDSS) Symposium 2020
  - Michael Schwarz, Moritz Lipp, Claudio Canella, Robert Schilling, Florian Kargl, Daniel Gruss
  - https://misc0110.net/files/context.pdf
- InvisiSpec: Making Speculative Execution Invisible in the Cache Hierarchy
- KLEESpectre: Detecting Information Leakage through Speculative Cache Attacks via Symbolic Execution
- MI6: Secure Enclaves in a Speculative Out-of-Order Processor
- MuonTrap: Preventing Cross-Domain Spectre-Like Attacks by Capturing Speculative State
- NDA: Preventing Speculative Execution Attacks at Their Source
- oo7: Low-overhead Defense against Spectre Attacks via Program Analysis
- Pitchfork: Detecting Spectre vulnerabilities using symbolic execution
- SafeSpec: Banishing the Spectre of a Meltdown with Leakage-Free Speculation
- Securing the Memory Hierarchy from Speculative Side-Channel Attacks
- SPECCFI: Mitigating Spectre Attacks using CFI Informed Speculation
  - arXiv 2019; IEEE S&P 2020
  - Esmaeil Mohammadian Koruyeh, Shirin Haji Amin Shirazi, Khaled N. Khasawneh, Chengyu Song, Nael Abu-Ghazaleh
  - https://arxiv.org/abs/1906.01345
- SpecFuzz: Bringing Spectre-type vulnerabilities to the surface
  - arXiv 2019; USENIX Security 2020
  - Oleksii Oleksenko, Bohdan Trach, Mark Silberstein, Christof Fetzer
  - https://arxiv.org/abs/1905.10311
- SpecFuzz: A tool to enable fuzzing for Spectre vulnerabilities
  - FOSDEM 2020
- SpecShield: Shielding Speculative Data from Microarchitectural Covert Channels
- Spectector: Principled Detection of Speculative Information Flows
- Spectre: Secrets, Side-Channels, Sandboxes, and Security
- Spectre is here to stay: An analysis of side-channels and speculative execution
- SpectreGuard: An Efficient Data-centric Defense Mechanism against Spectre Attacks
- Spectres, Virtual Ghosts, and Hardware Support
- Spectrum: Classifying, Replicating and Mitigating Spectre Attacks on a Speculating RISC-V Microarchitecture
- Speculative Taint Tracking (STT): A Comprehensive Protection for Speculatively Accessed Data
Arithmetic Logic Unit (ALU)
- Constant-Time Multiplication - https://www.bearssl.org/ctmul.html
- Share-slicing: Friend or Foe?
- When Constant-Time Source Yields Variable-Time Binary: Exploiting Curve25519-donna Built with MSVC 2015
Branch Predictor
- BranchScope: A New Side-Channel Attack on Directional Branch Predictor
- Covert Channels Through Branch Predictors: A Feasibility Study
- Exploiting branch target prediction
- Exploring Branch Predictors for Constructing Transient Execution Trojans
- Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR
- On the Power of Simple Branch Prediction Analysis
- Predicting Secret Keys via Branch Prediction
- Understanding and Mitigating Covert Channels Through Branch Predictors
Cache
Cache (2020)
- Analysis and Detection of Cache-Based Exploits
- CacheOut: Leaking Data on Intel CPUs via Cache Evictions
- Leaking Information Through Cache LRU States
- Pseudorandom Black Swans: Cache Attacks on CTR_DRBG
- Safecracker: Leaking Secrets through Compressed Caches
- Stealthy Tracking of Autonomous Vehicles with Cache Side Channels
- Take A Way: Exploring the Security Implications of AMD’s Cache Way Predictors
- Website Fingerprinting Through the Cache Occupancy Channel and its Real World Practicality
Cache (2019)
- Attack Directories, Not Caches: Side Channel Attacks in a Non-Inclusive World
  - IEEE Symposium on Security and Privacy (SP) 2019
  - Mengjia Yan, Read Sprabery, Bhargava Gopireddy, Christopher Fletcher, Roy Campbell, Josep Torrellas
  - http://iacoma.cs.uiuc.edu/iacoma-papers/ssp19.pdf
  - http://iacoma.cs.uiuc.edu/iacoma-papers/PRES/present_ssp19.pdf
  - http://iacoma.cs.uiuc.edu/iacoma-papers/PRES/present_HASP18.pptx
  - "We design the first cross-core Prime+Probe attack on non-inclusive caches."
  - "Using our Eviction Sets, we reverse engineer the directory structure in Skylake-X, and identify vulnerabilities in directory design that can be leveraged by cache-based side channel attacks."
  - "Based on our EV construction results, we are able to reverse engineer part of the slice hash function in the Intel Skylake-X processor. Our goal here is to show that the slice hash function is not a simple XOR operation of selected physical address bits. This design is significantly different from the one in previous Intel processors such as SandyBridge and IvyBridge. Considering that all of the previous works on reverse-engineering slice hash functions, rely on the use of a simple XOR hash function, our results identify the need for more advanced reverse-engineering approaches."
- Cache-based Side Channels: Modern Attacks and Defenses
- The 9 Lives of Bleichenbacher's CAT: New Cache ATtacks on TLS Implementations
- Unveiling your keystrokes: A Cache-based Side-channel Attack on Graphics Libraries
Cache (2018)
- Are Coherence Protocol States vulnerable to Information Leakage?
- MeltdownPrime and SpectrePrime: Automatically-Synthesized Attacks Exploiting Invalidation-Based Coherence Protocols
- MemJam: A False Dependency Attack against Constant-Time Crypto Implementations
- Robust Website Fingerprinting Through the Cache Occupancy Channel
  - USENIX Security Symposium 2019; 2018 arXiv
  - Anatoly Shusterman, Lachlan Kang, Yarden Haskal, Yosef Meltser, Prateek Mittal, Yossi Oren, Yuval Yarom
  - https://arxiv.org/abs/1811.07153
Cache (2017)
- AutoLock: Why Cache Attacks on ARM Are Harder Than You Think
- Cache Side Channels: State of the Art and Research Opportunities
- Hello from the Other Side: SSH over Robust Cache Covert Channels in the Cloud
Cache (2016)
- A High-Resolution Side-channel attack on the Last Level Cache
- A Software Approach to Defeating Side Channels in Last-Level Caches
- ARMageddon: How Your Smartphone CPU Breaks Software-Level Security and Privacy
- CacheBleed: A Timing Attack on OpenSSL Constant Time RSA
- Flush+Flush: A Fast and Stealthy Cache Attack
- Return-Oriented Flush-Reload Side Channels on ARM and Their Implications for Android Devices
Cache (2015)
- C5: Cross-Cores Cache Covert Channel
- Cache Attacks and Countermeasures: the Case of AES (Extended Version)
- Cache side channel attacks
- Last-Level Cache Side-Channel Attacks are Practical
Cache (2007-2014)
- An Analytical Model for Time-Driven Cache Attacks
- FLUSH+RELOAD: A High Resolution, Low Noise, L3 Cache Side-Channel Attack
- New Results on Instruction Cache Attacks
- Yet Another MicroArchitectural Attack: Exploiting I-cache
Cache - Data-Direct I/O (DDIO)
- NetCAT: Practical Cache Attacks from the Network
- Packet Chasing: Spying on Network Packets over a Cache Side-Channel
DRAM
- Another Flip in the Wall of Rowhammer Defenses
- Connecting the Dots: Privacy Leakage via Write-Access Patterns to the Main Memory
- DRAMA: How Your DRAM Becomes a Security Problem
- Drammer: Deterministic Rowhammer Attacks on Mobile Platforms
- Exploiting Correcting Codes: On the Effectiveness of ECC Memory Against Rowhammer Attacks
- Fantastic Timers and Where to Find Them: High-Resolution Microarchitectural Attacks in JavaScript
- Flipping bits in memory without accessing them: an experimental study of DRAM disturbance errors
- Hammertime: a software suite for testing, profiling and simulating the rowhammer DRAM defect - https://github.com/vusec/hammertime
- Nethammer: Inducing Rowhammer Faults through Network Requests
- RAMBleed: Reading Bits in Memory Without Accessing Them
- Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript
- Spying on Temperature using DRAM
- Thermal Covert Channels Leveraging Package-on-Package DRAM
- Throwhammer: Rowhammer Attacks over the Network and Defenses
- Understanding Rowhammer Attacks through the Lens of a Unified Reference Framework
- Whispers in the Hyper-space: High-speed Covert Channel Attacks in the Cloud
Electromagnetic (EM) Emanations
- A Method for Efficient Localization of Magnetic-field Sources Excited by the Execution of Instructions in a Processor
- A New Side-Channel Vulnerability on Modern Computers by Exploiting Electromagnetic Emanations from the Power Management Unit
- A Practical Methodology for Measuring the Side-Channel Signal Available to the Attacker for Instruction-Level Events
- A Survey of Electromagnetic Side-Channel Attacks and Discussion on their Case-Progressing Potential for Digital Forensics
- An Algorithm for Finding Carriers of Amplitude-modulated Electromagnetic Emanations in Computer Systems
- Capacity of the EM Covert/Side-Channel Created by the Execution of Instructions in a Processor
- Complete Reverse Engineering of Neural Network Architectures Through Electromagnetic Side Channels
- Detailed Tracking of Program Control Flow Using Analog Side-Channel Signals: A Promise for IoT Malware Detection and a Threat for Many Cryptographic Implementations
- EDDIE: EM-Based Detection of Deviations in Program Execution
- Electromagnetic Side Channel Information Leakage Created by Execution of Series of Instructions in a Computer Processor
- EMPROF: Memory Profiling via EM-Emanation in IoT and Hand-Held Devices
- EMSim: A Microarchitecture-Level Simulation Tool for Modeling Electromagnetic Side-Channel Signals
- FASE: Finding Amplitude-modulated Side-channel Emanations
- MagneticSpy: Exploiting Magnetometer in Mobile Devices for Website and Application Fingerprinting
- One & Done: A Single-Decryption EM-Based Attack on OpenSSL’s Constant-Time Blinded RSA
- Quantifying Information Leakage in a Processor Caused by the Execution of Instructions
- Screaming Channels: When Electromagnetic Side Channels Meet Radio Transceivers
- Side-Channel-Based Code-Execution Monitoring Systems - A Survey
- Spectral Profiling: Observer-Effect-Free Profiling by Monitoring EM Emanations
- The EM Side-Channel(s): Attacks and Assessment Methodologies
- Watch Me, but Don't Touch Me! Contactless Control Flow Monitoring via Electromagnetic Emanations
- Zero-Overhead Profiling via Electromagnetic (EM) Emanations
Floating Point Unit (FPU)
- LazyFP: Leaking FPU Register State using Microarchitectural Side-Channels
- On Subnormal Floating Point and Abnormal Timing
FPGA
- Physical Side-Channel Attacks and Covert Communication on FPGAs: A Survey
- Recent Attacks and Defenses on FPGA-based Systems
FPGA remote attacks (through (partial) access to the configuration/bitstream)
- An Inside Job: Remote Power Analysis Attacks on FPGAs
- C3APSULe: Cross-FPGA Covert-Channel Attacks through Power Supply Unit Leakage
- FPGAhammer: Remote Voltage Fault Attacks on Shared FPGAs, suitable for DFA on AES
- FPGA Side Channel Attacks without Physical Access
- FPGA-Based Remote Power Side-Channel Attacks
- FPGA Viruses
- JackHammer: Efficient Rowhammer on Heterogeneous FPGA-CPU Platforms
  - 2019 arXiv
  - IACR Transactions on Cryptographic Hardware and Embedded Systems (TCHES), Volume 2020, Issue 3
  - Zane Weissman, Thore Tiemann, Daniel Moghimi, Evan Custodio, Thomas Eisenbarth, Berk Sunar
  - https://arxiv.org/abs/1912.11523
- Leaky Wires: Information Leakage and Covert Communication Between FPGA Long Wires
- Measuring Long Wire Leakage with Ring Oscillators in Cloud FPGAs
- Reading Between the Dies: Cross-SLR Covert Channels on Multi-Tenant Cloud FPGAs
- Remote Inter-Chip Power Analysis Side-Channel Attacks at Board-Level
- Temperature-based covert channel in FPGA systems
- Temporal Thermal Covert Channels in Cloud FPGAs
- Timing Violation Induced Faults in Multi-Tenant FPGAs
- Voltage drop-based fault attacks on FPGAs using valid bitstreams
FPGA local attacks (with physical access or within close proximity)
- Breakthrough Silicon Scanning Discovers Backdoor in Military Chip
- Electromagnetic Side-channel Attack against 28-nm FPGA Device
- Improved Side-Channel Analysis Attacks on Xilinx Bitstream Encryption of 5, 6, and 7 Series
- Side Channel Attack on Low Power FPGA Platform
FPGA attack countermeasures
- Active Fences against Voltage-based Side Channels in Multi-Tenant FPGAs
- Checking for Electrical Level Security Threats in Bitstreams for Multi-Tenant FPGAs
- Generic side-channel countermeasures for reconfigurable devices
- Moats and drawbridges: An isolation primitive for reconfigurable hardware based systems
- Side-channel resistant crypto for less than 2,300 GE
GPU
- A complete key recovery timing attack on a GPU
- A Novel Side-Channel Timing Attack on GPUs
- Confidentiality Issues on a GPU in a Virtualized Environment
- Constructing and Characterizing Covert Channels on GPGPUs
- CUDA Leaks: Information Leakage in GPU Architectures
- Exploiting Bank Conflict-based Side-channel Timing Leakage of GPUs
- GPU Security Exposed: Exploiting Shared Memory
- GPUGuard: Mitigating Contention Based Side and Covert Channel Attacks on GPUs
- Grand Pwning Unit: Accelerating Microarchitectural Attacks with the GPU
- Practical Microarchitectural Attacks from Integrated GPU
- RCoal: Mitigating GPU Timing Attack via Subwarp-based Randomized Coalescing Technique
- Rendered Insecure: GPU Side Channel Attacks are Practical
- Side Channel Attacks on GPUs
Interrupts
- An Empirical Bandwidth Analysis of Interrupt-Related Covert Channels
- Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic
Keyboard
- SoK: Keylogging Side Channels
- KeyDrown: Eliminating Software-Based Keystroke Timing Side-Channel Attacks
Magnetic
- MAGNETO: Covert Channel between Air-Gapped Systems and Nearby Smartphones via CPU-Generated Magnetic Fields
- ODINI: Escaping Sensitive Data from Faraday-Caged, Air-Gapped Computers via Magnetic Fields
Memory Bus
- An Off-Chip Attack on Hardware Enclaves via the Memory Bus
- GSMem: Data Exfiltration from Air-Gapped Computers over GSM Frequencies
- Whispers in the hyper-space: high-speed covert channel attacks in the cloud, USENIX Security 2012
Memory Order Buffer (MOB)
- Microarchitectural Minefields: 4K-Aliasing Covert Channel and Multi-Tenant Detection in IaaS Clouds
- SPOILER: Speculative Load Hazards Boost Rowhammer and Cache Attacks
Memory Management Unit (MMU)
- ASLR on the Line: Practical Cache Attacks on the MMU
- Malicious Management Unit: Why Stopping Cache Attacks in Software is Harder Than You Think
- RevAnC: A Framework for Reverse Engineering Hardware Page Table Caches
- Telling Your Secrets without Page Faults: Stealthy Page Table-Based Attacks on Enclaved Execution
Power
- A New Class of Covert Channels Exploiting Power Management Vulnerabilities
- CLKSCREW: Exposing the Perils of Security-Oblivious Energy Management
- Leaky Noise: New Side-Channel Attack Vectors in Mixed-Signal IoT Devices
- On Code Execution Tracking via Power Side-Channel
- POWERT Channels: A Novel Class of Covert Communication Exploiting Power Management Vulnerabilities
Prefetch
- Harmful prefetch on Intel
- PAPP: Prefetcher-Aware Prime and Probe Side-channel Attack
- Prefetch Side-Channel Attacks: Bypassing SMAP and Kernel ASLR
- Unveiling Hardware-based Data Prefetcher, a Hidden Source of Information Leakage
- Using Undocumented CPU Behavior to See Into Kernel Mode and Break KASLR in the Process
Pseudo-Random Number Generator (PRNG)
- Covert Channels through Random Number Generator: Mechanisms, Capacity Estimation and Mitigations
Return Stack Buffer (RSB)
- CPU side-channels vs. virtualization rootkits: the good, the bad, or the ugly
- Reinforcing Meltdown Attack by Using a Return Stack Buffer
- ret2spec: Speculative Execution Using Return Stack Buffers
- Spectre Returns! Speculation Attacks using the Return Stack Buffer
SMT
- ABSynthe: Automatic Blackbox Side-channel Synthesis on Commodity Microarchitectures
- Cache missing for fun and profit
- Cheap Hardware Parallelism Implies Cheap Security
- Covert Shotgun: Automatically finding covert channels in SMT
- Port Contention for Fun and Profit
- PortSmash (CVE-2018-5407): side-channel vulnerability on SMT/Hyper-Threading architectures
- SMoTherSpectre: exploiting speculative execution through port contention
Speculation
Transient execution attacks
- Classification tree - http://transient.fail/
- Proof-of-Concept Repository - https://github.com/IAIK/transientfail/
- Refined Speculative Execution Terminology - https://software.intel.com/security-software-guidance/insights/refined-speculative-execution-terminology
- Bypassing KPTI Using the Speculative Behavior of the SWAPGS Instruction
- Code That Never Ran: Modeling Attacks on Speculative Evaluation
- Covert and Side Channels due to Processor Architecture
- ExSpectre: Hiding Malware in Speculative Execution
- Foreshadow & L1 Terminal Fault (L1TF)
- Load Value Injection
- Meltdown & Spectre
- Meltdown - https://meltdownattack.com/
  - USENIX Security 2018
  - Moritz Lipp, Michael Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval Yarom, Mike Hamburg
  - https://meltdownattack.com/meltdown.pdf
  - https://arxiv.org/abs/1801.01207
  - Meltdown Proof-of-Concept - https://github.com/IAIK/meltdown
  - http://blog.cyberus-technology.de/posts/2018-01-03-meltdown.html
  - Black Hat USA 2018 - https://mlq.me/download/bhusa2018_meltdown_slides.pdf
- KASLR: Break It, Fix It, Repeat
- Spectre Attacks: Exploiting Speculative Execution - https://spectreattack.com/
- Reading privileged memory with a side-channel - Jann Horn
- Spectre and Meltdown: Data leaks during speculative execution - Real World Crypto 2018, Jann Horn (Google Project Zero)
- Paul Kocher: Spectre Mitigations in Microsoft's C/C++ Compiler
- ARM Whitepaper "Cache Speculation Side-channels" - https://developer.arm.com/support/security-update/download-the-whitepaper
- Behind the scenes of a bug collision - https://cyber.wtf/2018/01/05/behind-the-scene-of-a-bug-collision/
- CPU security bugs caused by speculative execution - https://github.com/marcan/speculation-bugs
- Intel Analysis of Speculative Execution Side Channels - https://newsroom.intel.com/wp-content/uploads/sites/11/2018/01/Intel-Analysis-of-Speculative-Execution-Side-Channels.pdf
- meltdownspectre-patches: summary of the patch status - https://github.com/hannob/meltdownspectre-patches
- Mitigating Spectre variant 2 with Retpoline on Windows - https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Mitigating-Spectre-variant-2-with-Retpoline-on-Windows/ba-p/295618
- More details about mitigations for the CPU Speculative Execution issue - https://security.googleblog.com/2018/01/more-details-about-mitigations-for-cpu_4.html
- Retpoline: a software construct for preventing branch-target-injection - https://support.google.com/faqs/answer/7625886
- How Performance Optimizations Shatter Security Boundaries
- The Microarchitecture Behind Meltdown - http://blog.stuffedcow.net/2018/05/meltdown-microarchitecture/
- Microarchitectural Data Sampling (MDS)
  - CVE-2018-12126 - Microarchitectural Store Buffer Data Sampling (MSBDS) - Fallout
  - CVE-2018-12127 - Microarchitectural Load Port Data Sampling (MLPDS) - RIDL
  - Meltdown-MCA (microcode assists) - ZombieLoad
  - Meltdown-US-LFB (line fill buffer) - CVE-2018-12130 - Microarchitectural Fill Buffer Data Sampling (MFBDS) - RIDL, ZombieLoad Variant 1
  - Meltdown-P-LFB - CVE-2019-11091 - Microarchitectural Data Sampling Uncacheable Memory (MDSUM) - RIDL
  - Meltdown-MCA-AD (accessed or dirty bit) - ZombieLoad Variant 3
  - https://cpu.fail/
  - https://mdsattacks.com/
  - https://zombieloadattack.com/
- Fallout: Reading Kernel Writes From User Space
  - 2019 arXiv
  - Marina Minkin, Daniel Moghimi, Moritz Lipp, Michael Schwarz, Jo Van Bulck, Daniel Genkin, Daniel Gruss, Frank Piessens, Berk Sunar, Yuval Yarom
  - https://arxiv.org/abs/1905.12701
- RIDL: Rogue In-Flight Data Load
  - IEEE Symposium on Security and Privacy (S&P) 2019
  - Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo, Giorgi Maisuradze, Kaveh Razavi, Herbert Bos, and Cristiano Giuffrida
  - https://mdsattacks.com/files/ridl.pdf
  - Addendum 1: TSX Asynchronous Abort (TAA)
  - Addendum 2: L1D Eviction Sampling (L1DES), Vector Register Sampling (VRS)
  - RIDL: Rogue In Flight Data Load
  - Escaping the Chrome Sandbox with RIDL
- ZombieLoad: Cross-Privilege-Boundary Data Sampling
  - Computer and Communications Security (CCS) 2019
  - Michael Schwarz, Moritz Lipp, Daniel Moghimi, Jo Van Bulck, Julian Stecklina, Thomas Prescher, Daniel Gruss
  - https://arxiv.org/abs/1905.05726
  - ZombieLoad Attack: Leaking Your Recent Memory Operations on Intel CPUs
  - ZombieLoad: Leaking Data on Intel CPUs
- Additional readings:
- NetSpectre: Read Arbitrary Memory over Network
- On the Spectre and Meltdown Processor Security Vulnerabilities
- Out-of-Order Execution and Its Applications
- Speculative Buffer Overflows: Attacks and Defenses
- Speculator: Tool to Analyze Speculative Execution Attacks and Mitigations
- Speculose: Analyzing the Security Implications of Speculative Execution in CPUs
- SpeechMiner: A Framework for Investigating and Measuring Speculative Execution Vulnerabilities
- Two methods for exploiting speculative control flow hijacks
  - WOOT @ USENIX Security Symposium 2019
  - Andrea Mambretti, Alexandra Sandulescu, Matthias Neugschwandtner, Alessandro Sorniotti, Anil Kurmus
  - http://ale.sopit.net/pdf/woot.pdf
Store Buffer
- Fallout: Reading Kernel Writes From User Space
  - 2019 arXiv
  - Marina Minkin, Daniel Moghimi, Moritz Lipp, Michael Schwarz, Jo Van Bulck, Daniel Genkin, Daniel Gruss, Frank Piessens, Berk Sunar, Yuval Yarom
  - https://arxiv.org/abs/1905.12701
- CVE-2018-12126 - Microarchitectural Store Buffer Data Sampling (MSBDS) - Fallout
Thermal
Translation Lookaside Buffer (TLB)
- Store-to-Leak Forwarding: Leaking Data on Meltdown-resistant CPUs
- Translation Leak-aside Buffer: Defeating Cache Side-channel Protections with TLB Attacks
  - USENIX Security 2018
  - Ben Gras, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida
  - https://www.vusec.net/projects/tlbleed/
- TLBleed: When Protecting Your CPU Caches Is Not Enough
  - Black Hat 2018
  - Hardwear.io 2018
Trusted Execution Environments (TEEs)
- A Tale of Two Worlds: Assessing the Vulnerability of Enclave Shielding Runtimes
Arm TrustZone
- Hardware-Backed Heist: Extracting ECDSA Keys from Qualcomm’s TrustZone
Intel SGX
- Cache Attacks on Intel SGX
- CacheZoom: How SGX Amplifies The Power of Cache Attacks
- CopyCat: Controlled Instruction-Level Attacks on Enclaves for Maximal Key Extraction
- Exploitable Hardware Features and Vulnerabilities Enhanced Side-Channel Attacks on Intel SGX and Their Countermeasures
- Inferring Fine-grained Control Flow Inside SGX Enclaves with Branch Shadowing
- Leaky Cauldron on the Dark Land: Understanding Memory Side-Channel Hazards in SGX
- Malware Guard Extension: Using SGX to Conceal Cache Attacks
- MicroScope: Enabling Microarchitectural Replay Attacks
- Off-Limits: Abusing Legacy x86 Memory Segmentation to Spy on Enclaved Execution
- Racing in Hyperspace: Closing Hyper-Threading Side Channels on SGX with Contrived Data Races
- SGX-Step: A Practical Attack Framework for Precise Enclave Execution Control
- SGXlinger: A New Side-Channel Attack Vector Based on Interrupt Latency Against Enclave Execution
- SgxPectre Attacks: Leaking Enclave Secrets via Speculative Execution
- Side Channels on Intel SGX - https://web.cse.ohio-state.edu/~zhang.834/projects/sgx-side-channels.html
- TSX-based Defenses Against SGX Side-channel Attacks - https://gts3.org/2018/tsgx-defense.html
- Tutorial: Uncovering and mitigating side-channel leakage in Intel SGX enclaves
- Varys: Protecting SGX Enclaves from Practical Side-Channel Attacks
TSX
- Breaking Kernel Address Space Layout Randomization with Intel TSX
- Meltdown-MCA-TAA
- Prime+Abort: A Timer-Free High-Precision L3 Cache Attack using Intel TSX
Talks
2020
- Improving protections against speculative execution side channel
- Cryptographic Software in a Post-Spectre World
2019
- AcuTherm: A Hybrid Attack on Password Entry Based on Both Acoustic and Thermal Side-Channels
- Are Microarchitectural Attacks still possible on Flawless Hardware?
- Broad-Based Side-Channel Defenses for Modern Processor Architectures
- Ghosts in a Nutshell
- Hardware Is the New Software: Finding Exploitable Bugs in Hardware Designs
- NetSpectre: A Truly Remote Spectre Variant
- Oh No! KPTI Defeated, Unauthorized Data Leakage is Still Possible
- Spectre/C++: Preventing Spectre One Branch at a Time: The Design and Implementation of Fine Grained Spectre v1 Mitigation APIs
- Speculation & leakage: Timing side channels & multi-tenant computing
- What Spectre Means for Language Implementers
- Winter is Coming Back: Defeating the Most Advanced Rowhammer Defenses to Gain Root and Kernel Privileges
- Writing PoCs for processor software side-channels
2018
- A Christmas Carol - The Spectres of the Past, Present, and Future
- Behind the Speculative Curtain: The True Story of Fighting Meltdown and Spectre
- Beyond Belief: The Case of Spectre and Meltdown
- Exploiting modern microarchitectures: Meltdown, Spectre, and other hardware attacks
- Peering Behind the Turing Mirror
- Spectre: Exploiting Speculative Execution
- Spectre/Meltdown and What It Means for Future Chip Design
- Wrangling with the Ghost: An Inside Story of Mitigating Speculative Execution Side Channel Vulnerabilities
2017
- Android Security Symposium 2017 - Drammer: Flip Feng Shui goes mobile (Victor van der Veen)
- HackPra 2017 - Anders Fogh: "Covert shotgun: Automatically finding covert channels in SMT"
- HackPra 2017 - Victor van der Veen: "Drammer: The Making-Of" - https://www.youtube.com/watch?v=DF0k9yKYwfo
- hardwear.io 2017 - Shaking Trust in Hardware - Ben Gras & Kaveh Razavi
- HITB2017AMS D1T1 - Drammer: The Making Of - Victor van der Veen
- Papers We Love Singapore #026 (2017) - Row Hammer: Flipping Bits in Memory Without Accessing Them
- RuhrSec 2017: "A new categorization system for Side-channel attacks on mobile devices & more", Dr. Veelasha Moonsamy
- RuhrSec 2017: "Rowhammer Attacks: A Walkthrough Guide", Dr. Clémentine Maurice & Daniel Gruss
- RuhrSec 2017: "Using Microarchitectural Design to Break KASLR and More", Anders Fogh
- USENIX Security '17 - Strong and Efficient Cache Side-Channel Protection using Hardware Transactional Memory
2016
2015
2014
2009
- Defcon 17 - Sniff Keystrokes With Lasers/Voltmeters - Side Channel Attacks Using Optical Sampling
Tags:
hardware
assembly
native
reading
security
Last modified 16 December 2024